summaryrefslogtreecommitdiffstats
path: root/modules/ta_update/ta_update.test.integr/rfc5011/genkeyszones.sh
diff options
context:
space:
mode:
Diffstat (limited to 'modules/ta_update/ta_update.test.integr/rfc5011/genkeyszones.sh')
-rwxr-xr-xmodules/ta_update/ta_update.test.integr/rfc5011/genkeyszones.sh174
1 files changed, 174 insertions, 0 deletions
diff --git a/modules/ta_update/ta_update.test.integr/rfc5011/genkeyszones.sh b/modules/ta_update/ta_update.test.integr/rfc5011/genkeyszones.sh
new file mode 100755
index 0000000..4a65469
--- /dev/null
+++ b/modules/ta_update/ta_update.test.integr/rfc5011/genkeyszones.sh
@@ -0,0 +1,174 @@
+#!/usr/bin/bash
+
+# First, generate DNSSEC keys with timers set to simulate 2017 KSK roll-over.
+# Second, fake system time to pretend that we are at the beginning on time slots
+# used during 2017 and sign our fake root zone.
+
+# Depends on libfaketime + dnssec-keygen and dnssec-signzone from BIND 9.11.
+
+# Output: Bunch of DNSSEC keys + several versions of signed root zone.
+
+set -o nounset -o errexit -o xtrace
+
+GEN="dnssec-keygen -K keys/ -a RSASHA256 -b 2048 -L 21d"
+
+function usage {
+ echo -e "Usage: $0 <option>\n\n\
+Option:\n\
+\t--help\t\t\tShow this help.
+\t--rollover\t\tGenerate files for rollover test.\n\
+\t--unmanagedkey-present\tGenerate files for present new unmanaged key.\n\
+\t--unmanagedkey-missing\tGenerate files for missing unmanaged key.\n\
+\t--unmanagedkey-revoke\tGenerate files for revoked unmanaged key."
+}
+
+function sign () {
+ OUTFILE="$(echo "$1" | sed 's/[- :]//g').db"
+ TZ=UTC \
+ LD_PRELOAD="/usr/lib64/faketime/libfaketimeMT.so.1" \
+ FAKETIME="$1" \
+ dnssec-signzone \
+ -K keys/ \
+ -o . \
+ -S \
+ -T 21d \
+ -s now \
+ -e +14d \
+ -X +21d \
+ -O full \
+ -f "${OUTFILE}" \
+ "$2"
+
+ # DS for the very first KSK
+ test ! -f keys/ds && dnssec-dsfromkey -2 -f "${OUTFILE}" . > keys/ds || : initial DS RR already exists
+}
+
+function test_rollover {
+ # old KSK
+ ${GEN} -f KSK -P 20100715000000 -A 20100715000000 -I 20171011000000 -R 20180111000000 -D 20180322000000 .
+ # new KSK
+ ${GEN} -f KSK -P 20170711000000 -A 20171011000000 .
+
+ # ZSK before roll-over: 2017-Q2
+ ${GEN} -P 20170320000000 -A 20170401000000 -I 20170701000000 -D 20170711000000 .
+ # ZSK-q1: 2017-Q3
+ ${GEN} -P 20170621000000 -A 20170701000000 -I 20171001000000 -D 20171011000000 .
+ # ZSK-q2: 2017-Q4
+ ${GEN} -P 20170919000000 -A 20171001000000 -I 20180101000000 -D 20180111000000 .
+ # ZSK-q3: 2018-Q1
+ ${GEN} -P 20171220000000 -A 20180101000000 -I 20180401000000 -D 20180411000000 .
+ # ZSK: 2018-Q2
+ ${GEN} -P 20180322000000 -A 20180401000000 .
+
+
+ # hopefully slots according to
+ # https://www.icann.org/en/system/files/files/ksk-rollover-operational-implementation-plan-22jul16-en.pdf
+ # https://data.iana.org/ksk-ceremony/29/KC29_Script_Annotated.pdf
+ sign "2017-07-01 00:00:00" # 2017 Q3 slot 1
+ sign "2017-07-11 00:00:00" # 2017 Q3 slot 2
+ sign "2017-07-21 00:00:00" # 2017 Q3 slot 3
+ sign "2017-07-31 00:00:00" # 2017 Q3 slot 4
+ sign "2017-08-10 00:00:00" # 2017 Q3 slot 5
+ sign "2017-08-20 00:00:00" # 2017 Q3 slot 6
+ sign "2017-08-30 00:00:00" # 2017 Q3 slot 7
+ sign "2017-09-09 00:00:00" # 2017 Q3 slot 8
+ sign "2017-09-19 00:00:00" # 2017 Q3 slot 9
+
+ sign "2017-10-01 00:00:00" # 2017 Q4 slot 1
+ sign "2017-10-11 00:00:00" # 2017 Q4 slot 2
+ sign "2017-10-21 00:00:00" # 2017 Q4 slot 3
+ sign "2017-10-31 00:00:00" # 2017 Q4 slot 4
+ sign "2017-11-10 00:00:00" # 2017 Q4 slot 5
+ sign "2017-11-20 00:00:00" # 2017 Q4 slot 6
+ sign "2017-11-30 00:00:00" # 2017 Q4 slot 7
+ sign "2017-12-10 00:00:00" # 2017 Q4 slot 8
+ sign "2017-12-20 00:00:00" # 2017 Q4 slot 9
+
+ # 2018-01-01 00:00:00 # 2018 Q1 slot 1
+ # 2018-01-11 00:00:00 # 2018 Q1 slot 2
+ # 2018-01-21 00:00:00 # 2018 Q1 slot 3
+ # 2018-01-31 00:00:00 # 2018 Q1 slot 4
+ # 2018-02-10 00:00:00 # 2018 Q1 slot 5
+ # 2018-02-20 00:00:00 # 2018 Q1 slot 6
+ # 2018-03-02 00:00:00 # 2018 Q1 slot 7
+ # 2018-03-12 00:00:00 # 2018 Q1 slot 8
+ # 2018-03-22 00:00:00 # 2018 Q1 slot 9
+}
+
+function test_unmanagedkey_present {
+ # old KSK
+ ${GEN} -f KSK -P 20100715000000 -A 20100715000000 -I 20171011000000 -R 20180111000000 -D 20180322000000 .
+ # new KSK
+ ${GEN} -f KSK -P 20170711000000 -A 20171011000000 .
+
+ # ZSKs
+ ${GEN} -P 20170621000000 -A 20170701000000 -I 20171001000000 -D 20171011000000 .
+ ${GEN} -P 20170919000000 -A 20171001000000 -I 20180101000000 -D 20180111000000 .
+
+ sign "2017-07-01 00:00:00" unsigned_ok.db
+ sign "2017-07-11 00:00:00" unsigned_ok.db # present key is seen 10 days
+ sign "2017-07-21 00:00:00" unsigned_check.db # last edited message for check result from deckard
+}
+
+function test_unmanagedkey_revoke {
+ # old KSK
+ ${GEN} -f KSK -P 20100715000000 -A 20100715000000 -I 20171011000000 -R 20180111000000 -D 20180322000000 .
+ # revoked KSK
+ ${GEN} -f KSK -P 20100715000000 -A 20100715000000 -I 20171011000000 -R 20170710000000 -D 20180322000000 .
+
+ # ZSKs
+ ${GEN} -P 20170621000000 -A 20170701000000 -I 20171001000000 -D 20171011000000 .
+ ${GEN} -P 20170919000000 -A 20171001000000 -I 20180101000000 -D 20180111000000 .
+
+ sign "2017-07-01 00:00:00" unsigned_ok.db
+ sign "2017-07-11 00:00:00" unsigned_ok.db # revoke key is seen 10 days
+ sign "2017-07-21 00:00:00" unsigned_check.db # last edited message for check result from deckard
+}
+
+function test_unmanagedkey_missing {
+ # old KSK
+ ${GEN} -f KSK -P 20100715000000 -A 20100715000000 -I 20171011000000 -R 20180111000000 -D 20180322000000 .
+ # missing KSK
+ ${GEN} -f KSK -P 20100715000000 -A 20100715000000 -I 20171011000000 -R 20180111000000 -D 20170710000000 .
+
+ # ZSKs
+ ${GEN} -P 20170621000000 -A 20170701000000 -I 20171001000000 -D 20171011000000 .
+ ${GEN} -P 20170919000000 -A 20171001000000 -I 20180101000000 -D 20180111000000 .
+
+ sign "2017-07-01 00:00:00" unsigned_ok.db
+ sign "2017-07-11 00:00:00" unsigned_ok.db # missing key is seen 10 days
+ sign "2017-07-21 00:00:00" unsigned_check.db # last edited message for check result from deckard
+}
+
+if [ $# -ne 1 ]; then
+ usage
+ exit 0
+fi
+
+rm -f 20*.db
+rm -f keys/K*
+rm -f keys/ds
+mkdir -p keys/
+
+case $1 in
+ --rollover)
+ test_rollover
+ ;;
+ --unmanagedkey-present)
+ test_unmanagedkey_present
+ #test_rollover
+ ;;
+ --unmanagedkey-revoke)
+ test_unmanagedkey_revoke
+ ;;
+ --unmanagedkey-missing)
+ test_unmanagedkey_missing
+ ;;
+ --help|-h)
+ usage
+ ;;
+ *)
+ echo -e "Unknown option !\n\n"
+ usage
+ ;;
+esac
generated by cgit v1.2.3 (git 2.39.1) at 2025-02-06 23:00:24 +0000